Skip to content

ci: add CodeQL advanced setup#2163

Merged
Pouyanpi merged 1 commit into
developfrom
pouyanpi/fix-codeql
Jul 10, 2026
Merged

ci: add CodeQL advanced setup#2163
Pouyanpi merged 1 commit into
developfrom
pouyanpi/fix-codeql

Conversation

@Pouyanpi

@Pouyanpi Pouyanpi commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Description

Add a version-controlled CodeQL advanced setup that scans Python, JavaScript/TypeScript, and GitHub Actions with the security-extended query suite.

Verification

  • uv run --locked pre-commit run --files .github/workflows/codeql.yml
  • The first CodeQL analysis will run in GitHub Actions.

Checklist

  • I've read the CONTRIBUTING guidelines.
  • This PR links to a triaged issue assigned to me.
  • My PR title follows the project commit convention.
  • I've updated the documentation if applicable.
  • I've added tests if applicable.
  • I've noted any verification beyond CI and any checks I couldn't run.
  • I did not update generated changelog files manually.
  • I addressed all CodeRabbit, Greptile, and other review comments, or replied with why no change is needed.
  • @mentions of the person or team responsible for reviewing proposed changes.

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL security analysis for JavaScript/TypeScript, Python, and GitHub Actions.
    • Security checks now run on pull requests, pushes to main development branches, scheduled intervals, and manual requests.

@Pouyanpi Pouyanpi self-assigned this Jul 10, 2026
@Pouyanpi Pouyanpi added the CI label Jul 10, 2026
@github-actions github-actions Bot added status: needs triage New issues that have not yet been reviewed or categorized. size: S labels Jul 10, 2026
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Signed-off-by: Pouyanpi <13303554+Pouyanpi@users.noreply.github.com>
@Pouyanpi
Pouyanpi force-pushed the pouyanpi/fix-codeql branch from 9e396a0 to aef9931 Compare July 10, 2026 15:21
@Pouyanpi Pouyanpi added status: triaged Triaged by a maintainer; eligible for automated review (CodeRabbit/Greptile). and removed status: needs triage New issues that have not yet been reviewed or categorized. labels Jul 10, 2026
@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR introduces a CodeQL advanced security scanning workflow that analyzes Python, JavaScript/TypeScript, and GitHub Actions code using the security-extended query suite. The workflow is net-new and represents a meaningful improvement to the repository's security posture.

  • Scanning is triggered on PRs and pushes to develop/main, plus a weekly Tuesday schedule and manual dispatch — with concurrency cancellation scoped only to PR events so scheduled/push scans always complete.
  • Actions are pinned to full SHAs rather than mutable tags, and credentials are not persisted from checkout; fail-fast: false ensures all three language analyses run independently.

Confidence Score: 5/5

Adding a new CodeQL scanning workflow with no changes to existing code — safe to merge.

The workflow follows security best practices throughout: minimal permissions scoped to the job level, SHA-pinned actions, persist-credentials: false, fail-fast: false so all three language analyses run independently, and concurrency cancellation limited to PR events so push and scheduled scans always complete. No existing code is modified.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/codeql.yml New CodeQL advanced setup workflow — well-structured with minimal permissions, SHA-pinned actions, persist-credentials: false, and correct build-mode: none for all three languages in the matrix.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Trigger] --> B{Event?}
    B -->|pull_request to develop/main| C[Cancel any in-progress run for same PR]
    B -->|push to develop/main| D[Run to completion]
    B -->|schedule: Tue 07:23 UTC| D
    B -->|workflow_dispatch| D

    C --> E[Matrix: python / javascript-typescript / actions]
    D --> E

    E --> F[actions/checkout - SHA pinned\npersist-credentials: false]
    F --> G[github/codeql-action/init\nbuild-mode: none\nqueries: security-extended]
    G --> H[github/codeql-action/analyze\ncategory: /language:matrix.language]
    H --> I[Upload SARIF results\nto GitHub Security tab]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Trigger] --> B{Event?}
    B -->|pull_request to develop/main| C[Cancel any in-progress run for same PR]
    B -->|push to develop/main| D[Run to completion]
    B -->|schedule: Tue 07:23 UTC| D
    B -->|workflow_dispatch| D

    C --> E[Matrix: python / javascript-typescript / actions]
    D --> E

    E --> F[actions/checkout - SHA pinned\npersist-credentials: false]
    F --> G[github/codeql-action/init\nbuild-mode: none\nqueries: security-extended]
    G --> H[github/codeql-action/analyze\ncategory: /language:matrix.language]
    H --> I[Upload SARIF results\nto GitHub Security tab]
Loading

Reviews (1): Last reviewed commit: "ci: add CodeQL advanced setup" | Re-trigger Greptile

@Pouyanpi
Pouyanpi merged commit 5331054 into develop Jul 10, 2026
17 checks passed
@Pouyanpi
Pouyanpi deleted the pouyanpi/fix-codeql branch July 10, 2026 15:24
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 944153a2-4d5f-46f5-b39e-40cefdc050c8

📥 Commits

Reviewing files that changed from the base of the PR and between 816a3b1 and aef9931.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

📝 Walkthrough

Walkthrough

Adds a CodeQL GitHub Actions workflow that analyzes Actions, JavaScript/TypeScript, and Python code on repository events, a weekly schedule, or manual dispatch.

Changes

CodeQL security analysis

Layer / File(s) Summary
CodeQL workflow configuration
.github/workflows/codeql.yml
Configures triggers, concurrency, minimal permissions, a language matrix, credential-free checkout, extended CodeQL queries without a build step, and language-specific analysis categories.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Test Results For Major Changes ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding an advanced CodeQL GitHub Actions security scanning setup.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pouyanpi/fix-codeql

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CI size: S status: triaged Triaged by a maintainer; eligible for automated review (CodeRabbit/Greptile).

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants